Comment The higher up the ladder, the less qualified! (Score 1) 43

Very rarely do you see the people at the top having real knowledge of their field. Of the people I know in a CTO or CISO role who are qualified or educated in security matters, I actually can't name any, but I'm sure it's not 0. I've been in meetings where a CTO-level person will complain that 2FA is slowing down the login process, so we need to remove it. I've been in a meeting with a CISO where I was told (paraphrased): “Don't send PGP keys with your emails, they're scaring the client (who was another CISO), and we might lose the contract.”

You could ask, well, do you only know one CTO and one CISO? No, I know at least three dozen CTOs, and maybe two dozen CISOs, or people at that level. I've heard statements so mind-blowingly stupid that I laughed, thinking they were joking, and had them whip back with attitude. I've been told:

“Remove all IP-based filtering on the RDP connections on the firewall, it's too difficult to update that stupid field.” What?!

“This stupid server can't run Linux, it's too difficult to use, put Windows on it, and we'll share the same account across the company.” No!

“We can't use MFA, it's slowing down the login process, and I have stuff to do!”

“That stupid PGP thing, it's messing up Outlook, stop using it!” No, just use a professional email client.

And it goes on, and on, and on. I'm not surprised at all this happened, it's par for the course, it's these people you have to stop from acting on their own. I've literally set up fake admin actions on dummy portals for these people, then I capture what they're trying to do and do it properly myself, and honestly, it's saved my ass so many times I've lost count. I've revoked admin access from these people, and in only one case did they notice, but all of them demanded they have a wide open, unrestricted admin level across everything.

Comment That's hilarious! (Score 1) 17

Multiple red flags:

1. PowerBI?

What are you doing with PowerBI? PowerBI is analytics for people who don't understand numbers, or what a data point is. PowerBI is about making “pretty pictures” you can look at to fake competence. If you're using PowerBI as an analytics tool, you're not interested in analytics, you're interested in “pretty pictures”, free from any form of data understanding or insight.

2. Microsoft!

On their best day, they can't send an email that doesn't look like spam. I don't even bother to respond to them, and I will never click a link or take action using the email as a source of truth, for anything. Our CSM had to call me and convince me over Teams to click on a link in a request email from them. When I showed him the email, and how scummy, scammy, and unprofessional it looked, he had nothing to say in defence. He had to call someone from Microsoft Security who had to convince me to click the link, with a money-back guarantee.

3. It's email

You never trust anything over email. If you have to take action, you read the email, then go take action through a separate channel. You get Azure alerts, log in to Azure and take a look. You get notified of an invoice, again, log in and manually take a look, don't trust email. If they wanted you to trust the email, they would use PGP; they don't, most people don't, because they don't want you to trust them. Even if they do, still manually verify. This is phishing 101, they teach this in grade 6.

4. Whitelisting?

Why do you have to whitelist? If the domain could be verified and had proper records in place, it would be verified. Suggesting you have to whitelist proves you can't trust them and shouldn't. Never whitelist a domain; if the domain can't verify itself, you sure as hell don't want to even consider trusting it by accident.
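The point about "proper records in place" is, in practice, whether the sender domain publishes SPF and DMARC records with an enforcing policy. The following is an added example, not code from the commenter or from Slashdot, that parses constructed SPF and DMARC TXT record strings offline and reports whether a receiving mail system could reject forged mail on its own, which is what makes a whitelist entry unnecessary. The record formats follow RFC 7208 (SPF) and RFC 7489 (DMARC); the sample records and domain names are made up for the example.

```python
import re

# Constructed sample TXT records (not real domains or live DNS data).
SAMPLE_RECORDS = {
    # Enforcing: SPF hard-fails unlisted senders, DMARC rejects failures.
    "strict.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    },
    # Published but not enforcing: soft-fail SPF and monitoring-only DMARC.
    "lax.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@lax.example",
    },
    # Nothing published at all: the receiver cannot verify anything.
    "none.example": {"spf": None, "dmarc": None},
}


def parse_spf_all(txt):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'),
    '?' if the record has no 'all' term (SPF's default result is neutral),
    or None if the string is not an SPF record."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' means '+all'
    return "?"


def parse_dmarc(txt):
    """Return DMARC tag/value pairs as a dict, or None if not a DMARC record."""
    if txt is None or not txt.replace(" ", "").lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_sender_domain(spf_txt, dmarc_txt):
    """Classify a sender domain's published authentication policy.

    'enforcing' is True only when SPF hard-fails unlisted senders (-all)
    and DMARC asks receivers to quarantine or reject failures for all mail."""
    findings = []
    spf_all = parse_spf_all(spf_txt)
    if spf_all is None:
        findings.append("no SPF record")
    elif spf_all == "+":
        findings.append("SPF +all: any host may send as this domain")
    elif spf_all in ("~", "?"):
        findings.append(f"SPF {spf_all}all: soft-fail/neutral, not enforcing")

    dmarc = parse_dmarc(dmarc_txt)
    policy = "none"
    pct = 100
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, failures still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")

    enforcing = (
        spf_all == "-" and policy in ("reject", "quarantine") and pct == 100
    )
    return {"enforcing": enforcing, "spf_all": spf_all, "dmarc_policy": policy,
            "findings": findings}


def assess_all(records=SAMPLE_RECORDS):
    """Run the assessment over every sample domain."""
    return {d: assess_sender_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        status = "enforcing" if result["enforcing"] else "NOT enforcing"
        print(f"{domain}: {status}; " + ("; ".join(result["findings"]) or "no issues"))
```

In a real deployment the two strings would come from DNS TXT lookups of the domain and of `_dmarc.<domain>`; the parsing and the decision logic are the same. A domain that comes out "NOT enforcing" is exactly the case where someone asks you to whitelist it, and the result says why that request should be refused.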

Comment Re:BitLocker is fake disk encryption (*) (Score 1) 87

Simple, add a kill switch or permanent lockout that activates if the computer is relocated. Then you can't get in, there's nothing they can do, and you're not in contempt. If my server is moved geographically and the scanner is not deactivated, when you boot it up you'll have 1 hour to enter the override passphrase and insert the YubiKey before it will scramble several files.

What's in these files?

1. Consensual, legal, adult content that I locked up when my kids were younger.

It has collections like InSex, Device Bondage, Infernal Restraint, the Upper Floor, and some others.

2. Several software projects.
3. Backups, which I keep an encrypted copy of.
4. My digitized music collection.

Without logging in I can't remember, and then on top of VeraCrypt, I have ZFS-level encryption tied into the stack.

Comment Re:BitLocker is fake disk encryption (*) (Score 1) 87

To be fair, I'd actually use VeraCrypt or another technology to hide anything sensitive, and then randomly generate a massive passphrase > 256 characters. Save it into a password manager, and then if I was arrested, I couldn't give you the code. Furthermore, set a massive PIM, over 10k, and you're fine. The main objective is that BitLocker isn't encryption if someone can hold the key.
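The comment combines two controls: a passphrase too long to memorise or be coerced into reciting, and a high PIM so that each unlock attempt is expensive. The block below is an added example, not the commenter's code, showing how a practitioner would generate such a passphrase with a cryptographic RNG, quantify its entropy, and estimate what a PIM of 10000 costs per unlock attempt by timing PBKDF2-HMAC-SHA-512 (the PRF family VeraCrypt uses for header key derivation). The iteration formula `15000 + PIM * 1000` is my recollection of VeraCrypt's documented rule for non-system volumes and is stated here as an assumption; the function names are mine.

```python
import hashlib
import math
import secrets
import string
import time

# 94 printable ASCII characters; each character chosen uniformly gives
# log2(94) ~ 6.55 bits of entropy.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length=256, alphabet=ALPHABET):
    """Generate a uniformly random passphrase using the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly chosen string of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


def veracrypt_iterations(pim):
    """PBKDF2 iteration count for a VeraCrypt non-system volume at a given PIM.

    Assumption (recollection of VeraCrypt's documentation): for non-system
    volumes the count is 15000 + PIM * 1000."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15000 + pim * 1000


def estimate_unlock_seconds(pim, sample_iterations=20000):
    """Time a short PBKDF2-HMAC-SHA512 run on this machine and extrapolate
    to the iteration count implied by the PIM. The value is machine
    dependent; it is an order-of-magnitude estimate, not a benchmark."""
    salt = secrets.token_bytes(64)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"x" * 32, salt, sample_iterations, dklen=64)
    per_iteration = (time.perf_counter() - start) / sample_iterations
    return veracrypt_iterations(pim) * per_iteration


if __name__ == "__main__":
    phrase = generate_passphrase(256)
    print(f"passphrase length: {len(phrase)}")
    print(f"entropy: {entropy_bits(len(phrase)):.0f} bits")
    pim = 10000
    print(f"PIM {pim}: {veracrypt_iterations(pim):,} PBKDF2 iterations per attempt")
    print(f"estimated unlock cost on this machine: {estimate_unlock_seconds(pim):.1f} s")
```

The entropy figure is why the passphrase has to live in a password manager: roughly 1,677 bits is far beyond anything a person can retain, so "I couldn't give you the code" is literally true. The PIM figure matters differently: the header key derivation runs once per unlock, so a cost of seconds per attempt is tolerable for the owner but multiplies the work of anyone guessing.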

Comment BitLocker is fake disk encryption (*) (Score 3, Insightful) 87

If someone else can get the key to unlock the drive, the drive isn't locked. The problem with BitLocker, at least in general, is that you don't control the passphrase or keys, and hence it's not really useful in the wider/greater context!

Look at LUKS: you control the passphrase and, if you choose, additional keys, and that means if law enforcement needs your drive, they can't sidestep you. The fact Microsoft can hand over the keys makes BitLocker functionally useless, and really cuts to the core of the Microsoft security model. It's secure providing you don't question it or examine it, and that's a major issue.

Comment Re: I take Ozempic (Score 1) 112

I don't know, in some limited cases they can cover the medication costs, or the government might subsidize it, so I'm not sure. If the transplant was considered required, and done in a publicly insured, subsidized hospital through OHIP (for instance), they might send you home with the medication required for the recovery.

“Why wouldn't it be required?” I'm using that wording because of how things are covered, it's not clean, clear, or obvious. Canadian health care is a mess, and the government keeps worsening it.

Comment Re: I take Ozempic (Score 1) 112

That's hilarious! No, the “universal healthcare” is really just handwaving and complexity where parts get subsidized by public insurance. For the most part, your medication isn't covered. There are limited exceptions to that, but even with insurance, our medication costs are insane. In university, when I had two insurance plans, one from my parents and one from the school, my medication costs, with insurance coverage, were over 3k/month.
